Managing Network Security

Network Security as a Control Issue

Copyright(c), 1997, Fred Cohen

Series Introduction

Over the last several years, computing has changed to an almost purely
networked environment, but the technical aspects of information protection
have not kept up. As a result, the success of information security programs
has increasingly become a function of our ability to make prudent management
decisions about organizational activities. Managing Network Security
takes a management view of protection and seeks to reconcile the need for
security with the limitations of technology.

How Organizations Succeed

Organizations do not run themselves. They are run by top-level managers
whose job it is to exercise controls so as to bring about success. Like
the driver of a truck traveling down a highway, the boss uses powers of
observation and technological aids to view how things are going, understand
the situation, and make adjustments to keep things going in the right direction.
The better the view, understanding, and controls, the better the boss will
be able to control the organization, and the better (we hope) the organization
will operate.

Now comes the information age. The very nature of the way we work is
changing, and over a period of only a few years, the value of the elements
of our organization has shifted. In the industrial age, inventory, manufacturing
facilities, and available cash were the major elements with financial value
that management had to control. But as the information age came, more and
more of the value of organizations moved into information assets. As Jim
Schweitzer so clearly observes in his wonderful book Protecting Business
Information:

The information value represented in business operations and product
strategy plans and reports, which include technical, financial, and operational
data, is probably equal to the value of the company less the value of physical
assets. ... [That is] the selling price of plants and equipment.

Consider management control over information assets relative to financial
assets. Chances are, top management knows the financials quite well. They
can not only tell you how much they have, but where it comes from, where
it goes, and how they are certain of these facts. The reason they can do
this is that, if they are doing their job well, they exercise effective
control over financial assets. The same is probably true of physical assets.
Top management knows where the plants are, how much inventory is in place,
and they have at least a general idea of how materials move through the
organization, where they come from and where they go to. Odds are, most
of the top management has even visited most of the large plants at one time
or another, gotten a tour, and talked to the key managers.

But if you ask similar questions about information assets, chances are
that top management doesn't even know where to begin the answer. What is
the value of our information? Where is it stored and how is it moved around?
Where does it come from and where does it go? How do we assure that it is
what and where we think it is? Have they ever been given a tour of the corporate
network, seen what goes where, been told about the components involved?

If management can't answer these questions in the same level of detail
as they can for financial or physical assets, it means that the information
assets are out of control, and that means that they are unable to guide
the organization as effectively as they could if those assets were under
control.

There is one saving grace in any new age. The competition is probably
just as out of control of their information assets as you are. Just as at
the beginning of the industrial age, management today holds the reins of
a romping bull, and it will take some time before control is regained. But
providence favors those who get there first.

Getting Control

Getting control over your information assets is, essentially, an information
security effort. It involves getting a handle on the value of information,
classifying it, marking it, and making decisions about how to handle it.
It includes knowing and controlling what information goes where and when, providing
appropriate levels of assurance about the integrity, availability, and confidentiality
of information, and creating control processes to allow management at all
levels to manipulate, examine, and understand the information environment.
All of these functions have been and continue to be at the heart of information
security.

But the changes in the overall work environment resulting from the increased
use of information technology are closely tied to the way computer networks
allowed control to be localized, in many cases, directly to the desktop.
While central computers under the tight control of data processing shops
were relatively easy to control, the distribution of computation has made
central control a thing of the past. The nature of the information environment
has changed, making it harder and more complex to control, and increasing
the burden on management to find new ways of guiding their organizations.

One of the most common methods used to deal with the distribution of
information processing is to delegate control through data ownership. In
the ownership model of distributed computing, information and technology
is owned by the people who create and use it. This works very well for solving
the problem of micro-managing a widely distributed network. But it also
introduces some difficult challenges.

In many cases, the data owners don't know how to carry out many of their
ownership responsibilities, in large part because they haven't been properly
trained in the control issues and are hampered by inadequate coordination. To
address the coordination challenge, many organizations introduce centralized
network coordination people. An organizational email expert might be tasked
with making sure email works properly. The centralized email expert then
coordinates with local experts within each of the sub-organizations, who
in turn coordinate with even more local experts. This forms an email virtual-organization
(we'll call it a vorg for now) consisting of a body of people, most of them
working part-time on the email issues. The same technique is used to manage
network address assignment and connectivity, to solve telephonic communication
problems, and so on.

It all sounds great until you realize that the information protection
function needed to assure control crosses all of these boundaries. Unlike
email, information protection cannot be learned by a skilled programmer
in a few weeks at a few seminars and managed part-time along with payroll
programming. The function of assuring overall organizational control is
tougher than that. Most people who are effective at information protection
have many years of experience in the field. Those who have achieved certifications
have roughly the equivalent of two masters degrees worth of graduate-level
courses in the field and 5 years of professional experience, and like other
types of professionals, require ongoing professional education to stay up-to-date.

Most data owners can decide that they want cc:Mail or Microsoft Mail,
and the mail vorg can probably implement the interface. Few data owners
can make prudent decisions about the value of their information assets to
the overall organization, how it should be classified, what system of marking
to use, how to effectively control access, and the hundreds of other similar
decisions required in order to have an effective asset control program.

The email vorg can't make email security decisions alone because these
decisions require coordination with the telecommunications vorg and the
personnel vorg, and so on. In order to properly control this interwoven
collection of vorgs within the larger organization, we need - you've got
it - another vorg.

The Info-Sec Vorg

The info-sec virtual organization has the unusual challenge of crossing
both the data ownership organizations and the technical vorgs. Few, if any,
other vorgs face this challenge, and it can be daunting indeed. That's why
proper internal support and structure are required.

In my experience with large organizations, I find that it is sometimes
useful to use a chess analogy to discuss the organizational issues involved
in creating such a vorg. I talk about kings and queens as being too high
in the organization to be involved with info-sec at an operational level,
and pawns as being too far down the ladder to have a substantial impact.
It's usually the knights, bishops, and rooks that make things happen.

In a large organization, there are many knights and bishops. They are
typically top-level technical people with responsibilities over systems,
networks, technical support of business functions, and the like. While these
are the people who make most of the technical decisions and get much of
the most critical work done, they typically cannot cross organizations very
easily and almost never have enough power to overcome objections or decisions
of local bishops and knights within another part of the organization. The
bishops and knights with technical interest, knowledge, and responsibility
for information protection normally form the technical core of the info-sec
vorg, but they are normally only effective when supported by a rook.

In most large organizations there are relatively few rooks. They are
typically at least one level above the top technical people on the organization
chart and are rarely more than three levels below the CEO. They usually
have titles with words like director or corporate vice president in them.
They are almost never the chief information officer, the chief scientist,
or the head of internal audit, but they typically have the ear of these
people when they wish to be heard.

The reason you need a rook to champion the info-sec vorg is that this
is the only way to prevent local knights and bishops within other vorgs
or data owner areas from overriding all info-sec decisions. When a rook
is involved, it usually takes another rook to counter them. Since there
are relatively few rooks, they tend to know each other, and they tend to
work together regularly. To strictly overrule a rook requires a king or
a queen, so in practice, they are rarely overruled, and overruling them
involves substantial risk for the person who interrupts the busy king or
queen to settle what they will perceive as a local dispute.

Having said all these good things about rooks, there are a few cautions.
In choosing a rook to champion the info-sec vorg, it is vital to select
someone who is secure in their job, has the respect of most or all of the
other rooks, and has some interest in information protection. These conditions
prevent having the rug pulled out from under the info-sec vorg whenever
a dispute arises or the company is undergoing what has euphemistically come
to be called rightsizing.

Ideally, the info-sec vorg is championed by a top-level information protection
expert hired for the specific function of information protection. If your
organization has taken this enlightened approach, the rook will be calling
the bishops and knights together to form the vorg - or more likely already
has. If you have had an effective vorg for a long enough time, the rook
has either become that top-level information protection person, one has
been hired, or one of the people in the vorg who works for or closely with
the rook has become the de-facto expert.

So the info-sec vorg normally consists of a few bishops and knights who
concentrate on information protection issues - most often from corporate
headquarters and/or a few of the larger divisions, a rook at headquarters
who champions the cause and ultimately heads up corporate info-sec, a set
of other knights and bishops co-opted part-time from data owner organizations,
and at least one representative from each of the vorgs that participate
in implementing info-sec related decisions.

How The Info-Sec Vorg Operates

In normal operation, the info-sec vorg meets about quarterly to discuss
large-scale issues, remain in touch, and coordinate changes in large-scale
structure. These meetings usually also include exchanges of information
such as new techniques being put in place and new requirements and new systems
coming on line. As part of the meeting, expertise with particular products,
technologies, and techniques is exchanged, new contact points are provided,
and long-term progress is made. New people are also introduced to the group
on an ongoing basis, an occasional celebrity visit from the rook is made,
and on rare occasions, the CIO or a newly appointed company official may
show up. In some more advanced info-sec vorgs there may even be a long-term
outside info-sec consultant and a special-topic speaker at meetings.

Members of the vorg commonly communicate regarding areas of overlap.
For example, the info-sec vorg member who is also in the email vorg will
likely have regular communications with the telecommunications vorg-member
and they will likely coordinate communications security issues related to
email on an ongoing basis, calling on other info-sec vorg members when needed.
Similarly, vorg members will likely be on many project teams and act as
day-to-day points of contact between the info-sec vorg and the project team.

In emergency conditions, such as a case where a widespread incident occurs
within the company, many or most of the info-sec vorg members may get involved
in real-time.

The rook who underwrites the info-sec vorg will either head up the vorg
personally or be kept up to date by one or more vorg members on a periodic
basis, may request written reports and cost justifications from time to
time, and may handle budgeting for the vorg if it becomes a sufficiently
formal vorg within the company. The rook will also periodically call on
vorg members to clarify matters, help settle disputes, and perform other
vorg-related activities. On some occasions, the rook may also want to use
the vorg for visibility or provide the vorg with visibility.

Summary

The movement toward a highly distributed computing environment has been
reflected in a highly distributed management control process. This management
process often consists of virtual organizations - vorgs.

Info-sec vorgs rule by consensus, good will, moral persuasion, and strategic
placement and planning. They derive their power from momentum, the weight
of their aggregate force within the organization, and the strength of their
champion.

Info-sec vorgs provide management with control by providing an ability
to effect large-scale changes, providing an ability to collect and aggregate
information from the entire organization, and providing expertise to analyze
and make prudent decisions based on that information.

About The Author

Fred Cohen is a Senior Member of Technical Staff at Sandia National Laboratories
and a Senior Partner of Fred Cohen and Associates in Livermore, California,
an executive consulting and education group specializing in information protection.
He can be reached by sending email to fred at all.net.